2 September 2015

Position of the retail and wholesale sector on the Draft Data Protection Regulation in view of the trilogue 2015

We support the efforts of EU legislators to create a harmonised data protection framework. The draft Data Protection Regulation ("Regulation") will not only set higher standards for the protection of individuals' privacy, it will also establish the same rules for all companies. Eliminating a large number of varying data protection rules will be a major step forward for companies operating cross-border.

The EU institutions aim to achieve a balance between business and consumer interests. This balance should be fair and we therefore support a risk-based approach. A high level of individual protection should be balanced with adequate safeguards for businesses' legitimate commercial use of personal data.

One of our priorities is for a Regulation that will create fair and reasonable rules for all companies processing personal data. The Regulation should therefore be appropriate for all types of business models and avoid imposing disproportionate obligations on companies that process data as a subsidiary activity to their main business. Below we focus on the most important issues from a retail and wholesale perspective.

Full Harmonisation

We hope that the original aim of creating a fully harmonised data protection framework will not be abandoned. The number of provisions that allow scope for Member States to diverge in their implementation of some of the Regulation undermines true harmonisation (collective redress independent from the data subject's mandate (Art.76.2), employment (Art.82), data protection officer (Art.35), public authorities (Art.1), etc.). If this approach is pursued, companies will still have to deal with a patchwork of rules. The original purpose of the Regulation will erode, which will seriously harm the EU's competitiveness towards third country businesses.

A specific example: Establishing a compliance hotline within a global company

Currently, establishing a compliance hotline across the EU is subject to different rules and requires separate approvals/notifications. For example, while anonymous reporting is prohibited in some countries, in others it is necessary to provide an anonymous reporting channel. It often takes years to have all the group companies integrated in the same system. Even under the draft Regulation these issues would continue. The Regulation leaves it up to the Member States to adopt data protection rules in the employment context. This means that, for example, consulting the works council on the hotline would be subject to different rules across the EU.

Data Protection Officer (DPO)

The experience of our member companies shows that qualified, independent and reasonably resourced DPOs can play a major role in ensuring a company's privacy compliance. An in-house DPO knows the company best. Therefore, their assessment is fundamental for ensuring privacy compliance. At the same time, appointing a DPO is a non-bureaucratic approach and a cost saving solution for some companies.

The rules for the appointment and the qualifications of a DPO should be the same across the EU. We are concerned that if Member States are free to decide on a mandatory or voluntary DPO appointment, this would lead to divergent standards within the EU and would result in an uneven playing field for companies operating cross-border. This would be against the spirit of the Regulation.

Ideally, the DPO appointment should depend on the risks involved in the company's data processing operations and on the nature of the business (whether it is purely data-driven or whether data processing is a subsidiary activity to the main business). Therefore, the SMEs and micro-enterprises which do not process personal data as their core business (for example smaller retailers) should be exempt from appointing a DPO. If thresholds are to be set, they should not depend on the mere number of employees or consumers whose personal data are being processed but on the degree of risk attached to the processing.

We therefore propose to revise Article 35 as follows:

1. The controller and the processor shall designate a data protection officer, where:
(a) the processing is carried out by a public authority or body; or
(c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purpose, the number of the individuals concerned or individuals processing personal data imply regular and systematic monitoring of data subjects or high level of risk.
[The text in 1(c) is based on the Commission's proposal, with modifications proposed by EuroCommerce.]

1a (NEW). The obligation referred to in paragraph 1 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a high risk for the rights and freedoms of data subject such as discrimination, identity theft or fraud, unauthorized reversal of pseudonymisation, financial loss, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other economic or social disadvantage
[The text in 1a(NEW) is new and has been proposed by EuroCommerce.]

We also believe that there should be clearer incentives for appointing a DPO, such as:
- eliminating the need to consult a regulator in case of risky processing; or
- exempting group companies from putting in place data processing and transfer agreements if a DPO is appointed (group privilege).

Many of our members operating internationally have experienced that signing the intra-group agreements has not automatically increased the level of data protection but has rather led to more administrative burden. In group companies any disputes arising from non-compliance are solved internally based on internal data protection policies and practices.

We therefore support revising Article 34 as follows:

2. The controller or processor acting on the controller's behalf shall consult the data protection officer, or in case a data protection officer has not been appointed, the supervisory authority prior to the processing of personal data in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where:
[The text in bold has been already proposed by the EP. We support this proposal.]

We also support revising Article 22 as follows:

3a. The controller that appointed a data protection officer shall have the right to transmit personal data inside the EU within the group of undertakings the controller is part of, where such processing is necessary for legitimate internal administrative purposes between connected business areas of the group of undertakings and an adequate level of data protection as well as the interests of the data subjects are safeguarded by internal data protection provisions or equivalent codes of conduct as referred to in Article 38.
[The text in 3a has been proposed by the EP; we support this proposal and suggest additional changes in bold/italics.]

Fines

We support a dissuasive level of fines for data protection violations. However, we are not in favour of the Regulation's approach of basing those fines on the company's global annual turnover. This approach disconnects the sanction from the actual violation. This may be good in targeting companies that process personal data as their core business. For companies processing personal data as a subsidiary activity to their main business (for example selling goods) this would be disproportionate.

We think that as a rule of law, the calculation of fines should be linked primarily to a combination of: (1) the profit or the generated savings that a company made in relation to the data processing that involved the violation, and (2) the actual risk or violation to the data subjects' fundamental rights, and (3) the nature of the business (purely data-driven or data processing as a subsidiary activity to the main business). In order to achieve fair and appropriate results, a company's annual turnover can only be of minor interest and, if at all, serve as a mere overall cap.

Profiling

Data analysis is crucial for the development of the commerce sector to be more effective and innovative. Profiling not only allows customers to receive offers that are relevant to their needs, rather than being bothered by mass mailings covering products they do not want. Profiling is also used to evaluate patterns of consumer behaviour to improve measures needed for fraud detection, credit evaluation, managing product safety, warranties, purchase and transportation management and product and process quality improvement.

We support better privacy safeguards related to profiling. However, we think that rather than creating a right not to be subject to profiling, profiling should be allowed under certain conditions, the main condition being that profiling does not result in harm to individuals. Therefore, we support a risk-based approach and a requirement for explicit consent for profiling likely to cause harm. Profiling that would cause insignificant effects and of which the consumer would need to be properly informed, could be possible under other legal bases, such as legitimate interest.

Consent

We support the requirement of unambiguous consent for the processing of non-sensitive data. Calling for explicit consent will increase burdens for businesses and will be annoying for consumers. Obliging consumers to carry out repeated box ticking could mean that they risk ignoring important information about how their personal data are being processed.

We therefore support revising Article 6 as follows:

1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given unambiguous consent to the processing of their personal data for one or more specific purposes;
[The text in 1a has been revised by the Council; we support this proposal.]

Data portability

We are concerned that a provision that was meant to address mainly user-generated data and social media could have unintended consequences for retail if interpreted too broadly. The Regulation should clarify that the right to data portability would not oblige businesses to disclose confidential business information. Any provision that would require a retailer to transfer consumer profile information into a competing retailer's system could have serious competition implications. Therefore, we support including safeguards, such as intellectual property rights. Trade secrets should also be added.

We therefore propose revising Article 18 as follows:

2aa. The right referred to in paragraph 2 shall not apply, if disclosing personal data would infringe intellectual property rights or reveal trade secrets in relation to the processing of those personal data.
[The text in 2aa has been proposed by the Council; we support this proposal and suggest additional changes in bold/italics.]

Data Protection Impact Assessment (PIA) and record keeping

We are in favour of PIA as a mechanism helping companies maintain their corporate data protection responsibility but combined with a risk-based approach. This means that only certain risky processing operations should require a PIA. The fact that many individuals' personal data are being processed is not risky per se. It is the nature and the consequences of the processing that matter.

We are sceptical about the requirement to consult on the intended risky processing with individuals or their representatives (Art.33.4). It is unclear how this obligation would work in practice, for example whether only notification rather than agreement of the concerned persons was required, what would be the required timeframe, etc. The provision is vague and would lead to uncertainty. There are already sufficient safeguards in the draft Regulation, such as an obligation to consult a regulator (or a DPO) if there are high risks involved in the processing (Art.34).

We therefore propose to delete Article The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations.
[The deletion of point 4 has been proposed by the Parliament; we support this deletion.]

We also think that requiring data controllers to perform a data protection compliance review (Art. 32a) and to review the PIA every two years (Art.33a) will be extremely burdensome, especially for the SMEs. We think that there are already sufficient safeguards in the draft Regulation, as above. We therefore propose to delete Article 32a and 33a.

In addition we support that SMEs are exempt from certain compliance obligations, such as record keeping obligations (Art. 28) as long as the processing does not involve high risks for individuals. For many small shops whose core activities do not involve the processing of personal data the prescriptive record keeping duties would add additional burdens and costs. We support a risk-based approach. This means that there should be varying levels of obligation based on the risk of the data processing undertaken by a particular business.

We therefore support revising Article 28 as follows:

4. The obligations referred to in paragraphs 1 and 2a shall not apply to:
(b) an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a high risk for the rights and freedoms of data subject such as discrimination, identity theft or fraud, unauthorized reversal of pseudonymisation, financial loss, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other economic or social disadvantage
[The text in 4b has been revised by the Council; we support Council's proposal.]

Encouraging Corporate Responsibility

We believe that the best data protection standards are set within the companies that build their robust privacy culture. We therefore support the idea that the Regulation encourages companies to do so even more by offering incentives and regulatory reliefs. In particular, the following measures were a big step forward in improving the overall level of data protection amongst our members:
- Appointing an independent and qualified DPO
- Implementing a code of conduct
- Undergoing external audits / certification

We support the approach of promoting these measures by law. The following are particularly suited as possible incentives:
- Facilitating intra-group data transfers for internal or administrative purposes
- Providing regulatory reliefs for companies that have adopted codes of conduct
- Considering mitigating factors when imposing sanctions
- Doing away with registration and reporting requirements

We remain fully at your disposal for any further information we can give you on this topic.

Comparative chart of the draft General Data Protection Regulation with the retail and wholesale sector recommendations

Article number | Commission's proposal | EP's position | Council's position | Retail/wholesale recommendations

6 (a) the data subject has given consent to the processing of their personal data for one or more specific purposes; (a) the data subject has given (explicit) consent to the processing of their personal data for one or more specific purposes; 1. (a) the data subject has given unambiguous consent to the processing of their personal data for one or more specific purposes; 1. (a) the data subject has given unambiguous consent to the processing of their personal data for one or more specific purposes; 18 2aa. The right referred to in paragraph 2 shall not apply if disclosing personal data would infringe intellectual property rights in relation to the processing of those personal data. 22 3a. The controller shall have the right to transmit personal data inside the Union within the group of undertakings the controller is part of, where such processing is necessary for legitimate internal administrative purposes between connected business areas of the group of undertakings and an adequate level of data protection as well as the interests of the data subjects are safeguarded by internal data protection provisions or equivalent codes of conduct as referred to in Article 38. 2aa. The right referred to in paragraph 2 shall not apply, if disclosing personal data would infringe intellectual property rights or reveal trade secrets in relation to the processing of those personal data. 3a. The controller that appointed a data protection officer shall have the right to transmit personal data inside the EU within the group of undertakings the controller is part of, where such processing is necessary for legitimate internal administrative purposes between connected business areas of the group of undertakings and an adequate level of data protection as well as the interests of the data subjects are safeguarded by internal data protection provisions or equivalent codes of conduct as referred to in Article 38.

28 4. b) an enterprise or an organisation employing fewer than 250 persons that is processing personal data only as an activity ancillary to its main activities. 32a Deleted 4 (b) an enterprise or an organisation employing fewer than 250 persons that is unless the processing personal data only as an activity ancillary to its main activities it carries out is likely to result in a high risk for the rights and freedoms of data subject such as discrimination, identity theft or fraud, unauthorized reversal of pseudonymisation, financial loss, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other economic or social disadvantage Respect to Risk 1. The controller, or where applicable the processor, shall carry out a risk analysis of the potential impact of the intended data processing on the rights and freedoms of the data subjects, assessing whether its processing operations are likely to present specific risks 2. The following processing operations are likely to present specific risks: (a) processing of personal data relating to more than 5000 data subjects during any consecutive 12-month period; (b) processing of special categories of personal data as referred to in Article 9(1), location data or data on children or employees in large scale filing systems; (c) profiling on which measures are based that produce legal effects concerning the individual or 4 (b) an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a high risk for the rights and freedoms of data subject such as discrimination, identity theft or fraud, unauthorized reversal of pseudonymisation, financial loss, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other economic or social disadvantage. Deleted

similarly significantly affect the individual; (d) processing of personal data for the provision of health care, epidemiological researches, or surveys of mental or infectious diseases, where the data are processed for taking measures or decisions regarding specific individuals on a large scale; (e) automated monitoring of publicly accessible areas on a large scale; (f) other processing operations for which the consultation of the data protection officer or supervisory authority is required pursuant to point (b) of Article 34(2); (g) where a personal data breach would likely adversely affect the protection of the personal data, the privacy, the rights or the legitimate interests of the data subject; (h) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects; (i) where personal data are made accessible to a number of persons which cannot reasonably be expected to be limited. 3. According to the result of the risk analysis: (a) where any of the processing operations referred to in points (a) or (b) of paragraph 2 exist, controllers not established in the

33 4. The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of Union shall designate a representative in the Union in line with the requirements and exemptions laid down in Article 25; (b) where any of the processing operations referred to in points (a), (b) or (h) of paragraph 2 exist, the controller shall designate a data protection officer in line with the requirements and exemptions laid down in Article 35; (c) where any of the processing operations referred to in points (a), (b), (c), (d), (e), (f), (g) or (h) of paragraph 2 exist, the controller or the processor acting on the controller's behalf shall carry out a data protection impact assessment pursuant to Article 33; (d) where processing operations referred to in point (f) of paragraph 2 exist, the controller shall consult the data protection officer, or in case a data protection officer has not been appointed, the supervisory authority pursuant to Article The risk analysis shall be reviewed at the latest after one year, or immediately, if the nature, the scope or the purposes of the data processing operations change significantly. Where pursuant to point (c) of paragraph 3 the controller is not obliged to carry out a data protection impact assessment, the risk analysis shall be documented. Deleted 4. The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of Deleted

33a the processing operations. Data protection compliance review 1. At the latest two years after the carrying out of an impact assessment pursuant to Article 33(1), the controller or the processor acting on the controller's behalf shall carry out a compliance review. This compliance review shall demonstrate that the processing of personal data is performed in compliance with the data protection impact assessment. 2. The compliance review shall be carried out periodically at least once every two years, or immediately when there is a change in the specific risks presented by the processing operations. 3. Where the compliance review results show compliance inconsistencies, the compliance review shall include recommendations on how to achieve full compliance. 4. The compliance review and its recommendations shall be documented. The controller and the processor and, if any, the controller's representative shall make the compliance review available, on request, to the supervisory authority. 5. If the controller or the processor has designated a data protection officer, he or she shall be involved in the compliance review proceeding. the processing operations. Deleted The controller or processor acting on the controller's behalf 2. The controller or processor acting on the controller's behalf 2. The controller or processor acting on the controller's behalf 2. The controller or processor acting on the controller's behalf

shall consult the supervisory authority prior to the processing of personal data in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where: shall consult the data protection officer, or in case a data protection officer has not been appointed, the supervisory authority prior to the processing of personal data in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where: shall consult the supervisory authority prior to the processing of personal data where a data protection impact assessment as provided for in Article 33 indicates that the in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the would result in a high risks involved for the data subjects where: in the absence of measures to be taken by the controller to mitigate the risk. shall consult the data protection officer, or in case a data protection officer has not been appointed, the supervisory authority prior to the processing of personal data in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where: The controller and the processor shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body; or 1. The controller and the processor shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body; or 1. The controller and or the processor may, or where required by Union or Member State law shall designate a data protection officer in any case where:. 1. 
The controller and the processor shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body (b) the processing is carried out by an enterprise employing 250 persons or more; or (c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects. (b) the processing is carried out by an enterprise employing 250 persons or more a legal person and relates to more than 5000 data subjects in any consecutive 12-month period; or (c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects; or (d) the core activities of the controller or the processor consist of processing special categories of data pursuant to Article 9(1), location data or (c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purpose, the number of the individuals concerned or individuals processing personal data imply regular and systematic monitoring of data subjects or high level of risk.

data on children or employees in large scale filing systems (a) (NEW). The obligation referred to in paragraph 1 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a high risk for the rights and freedoms of data subject such as discrimination, identity theft or fraud, unauthorized reversal of pseudonymisation, financial loss, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other economic or social disadvantage.
